Microsoft Azure MFA protection could be bypassed
Attackers were able to bypass multi-factor authentication in Microsoft's Azure and gain unauthorized access.
(Image: Tero Vesalainen/Shutterstock.com)
Microsoft's Azure cloud offers access protection using multi-factor authentication (MFA). Until recently, however, Microsoft's implementation had a flaw: attackers could guess MFA verification codes by brute force. Microsoft has since fixed the problem.
The IT researchers at Oasis explain in a blog post that the bypass took around an hour, required no user interaction and generated no notification of any kind for the account holder. Attackers could then have gained unauthorized access to Outlook emails, OneDrive files, Teams chats, the Azure cloud and more.
Vulnerability: missing guess limit
After entering a valid username and password, users are asked to confirm their identity. Microsoft supports several MFA methods for this, including the six-digit verification code from an authenticator app. Within a single session, Microsoft allowed up to ten failed attempts. By creating new sessions in quick succession and trying codes in each of them, the researchers were able to work through the one million possible six-digit codes quickly; many sessions could run in parallel.
During these attempts, account holders received no warning about the massive number of failed logins, which made the attack very easy to carry out. There is, however, a second limiting factor: the validity period of a code.
The researchers explain that the time frame for guessing a verification code is limited. A time-based one-time code usually changes every 30 seconds, and most apps and verifiers use this setting, Oasis explains. To compensate for clock drift and delays between user and verifier, the standard lets verifiers also accept codes from adjacent time steps. Microsoft tolerated a period of around three minutes during which a code remained valid. This meant that six times as many guesses could be tried against a given code as if no tolerance had been set.
The Oasis researchers calculate that with the permitted rate of attempts they had about a three percent chance of guessing the correct code within the extended time window. Malicious actors would simply keep going and start more sessions until they landed a valid hit; the researchers encountered no hurdle or limit that would have prevented this. After 24 such rounds, which can be completed in 70 minutes, attackers would already have a better than 50 percent probability of hitting a valid code, even before taking into account the extra attempts the extended time window allows.
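The arithmetic in the two paragraphs above, worked through in code. This is an added example and not part of the heise article or of Oasis's research: it implements a standard RFC 4226/6238 TOTP generator and verifier with the RFC test secret, models the tolerance window as a set of accepted time-step offsets (the six-step "lax" window, the one-step tolerance RFC 6238 recommends, and no tolerance), and then computes the guessing odds. The figure of 5000 distinct guesses per 30-second step is an assumption chosen so that the lax window yields the roughly three percent per-window chance the researchers cite; the per-account cap of ten guesses per window used for the mitigation is likewise assumed, since Microsoft has not published its fix.

```python
import hashlib
import hmac
import math
import struct

# Constructed example: the RFC 4226/6238 test secret, not a real account key.
SECRET = b"12345678901234567890"
CODE_SPACE = 10**6  # six-digit codes

# Accepted time-step offsets relative to the verifier's current step.
NO_TOLERANCE = (0,)                 # only the current 30-second step
RFC_OFFSETS = (-1, 0)               # RFC 6238 recommends at most one step of tolerance
LAX_OFFSETS = tuple(range(-5, 1))   # assumption: six steps, i.e. a code stays valid ~3 minutes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def accept(secret: bytes, code: str, now: int, offsets=RFC_OFFSETS, step: int = 30) -> bool:
    """Verifier side: accept the code if it matches any tolerated time step.
    The wider `offsets` is, the longer a single code stays guessable."""
    base = now // step
    return any(hmac.compare_digest(code, hotp(secret, base + o)) for o in offsets)


def guesses_per_window(offsets, guesses_per_step: int) -> int:
    """Distinct guesses an attacker can submit while one code remains valid."""
    return guesses_per_step * len(offsets)


def hit_probability(attempts: int, space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses include the single correct code."""
    return min(1.0, attempts / space)


def chained_probability(p_window: float, windows: int) -> float:
    """Chance of at least one hit after repeating the attack in `windows` fresh windows."""
    return 1.0 - (1.0 - p_window) ** windows


def windows_for(target: float, p_window: float) -> int:
    """Windows needed before the cumulative hit chance exceeds `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_window))


if __name__ == "__main__":
    # A code issued at t=59 is still accepted 150 s later by the lax verifier,
    # but not by one with the RFC's one-step tolerance.
    code = totp(SECRET, 59)
    print("lax accepts stale code:", accept(SECRET, code, 59 + 150, LAX_OFFSETS))
    print("rfc accepts stale code:", accept(SECRET, code, 59 + 150, RFC_OFFSETS))

    # Assumption: 500 parallel sessions x 10 failed attempts = 5000 guesses per step.
    per_step = 5000
    for name, offsets in (("no tolerance", NO_TOLERANCE), ("rfc", RFC_OFFSETS), ("lax", LAX_OFFSETS)):
        p = hit_probability(guesses_per_window(offsets, per_step))
        print(f"{name:13s} p/window={p:.3%}  windows for 50%={windows_for(0.5, p)}")

    print("after 24 lax windows:", f"{chained_probability(0.03, 24):.1%}")

    # Mitigation: a per-account cap (assumed 10 guesses per window) independent of
    # how many sessions the attacker opens.
    p_capped = hit_probability(10)
    print("windows for 50% with per-account cap:", windows_for(0.5, p_capped))
```

The point the numbers make: the six-step window only scales the per-window odds by six; what turns a hopeless search into a one-hour attack is that the attempt limit was per session rather than per account, so the attacker controls `per_step`. Capping failed attempts per account (and alerting on them) is what drives the number of windows needed into the tens of thousands.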
The Oasis team successfully tested the method several times. According to the researchers, Microsoft reacted and rolled out a final fix for the problem in October. Details of Microsoft's fix are confidential; in any case, a much stricter rate limit has been introduced.
(dmk)